|Detected||Aug 31 2010 08:22 GMT|
|Released||Aug 31 2010 16:29 GMT|
|Published||Sep 19 2011 12:01 GMT|
A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file). 6656 bytes. Written in C++.
After launching, the trojan copies its body to the following file:
C:\Program Files\Common Files\seria.exeThe created copy is then launched for execution.
To delete the original file after shutting down, the trojan creates the shell script "Del.bat" in the current user temporary file directory "%Temp%" with the following content:
@ping -n 3 127.0.0.1>nul @del /F /Q "<full path to the original trojan file>" @del /F /Q "<full path to the original trojan file>" @exitThe created script is then launched for execution. The script file is also deleted.
After launching, the trojan carries out the following actions:
C:\Program Files\Regrun.dat C:\Program Files\Regrun.bat as follows: @reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 36OSafeUpdate /t REG_SZ /d "C:\Program Files\Common Files\seria.exe" /f
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"The trojan is therefore automatically launched every time the system is started.
net stop sharedaccess
http://list.h***i2.com:6668/Down/list.txtThe downloaded data is saved in the following file:
d:\WinsUp\kb75818<rnd>.exewhere <rnd> is random numbers.
After successful download, the files are launched for execution. These links did not work when creating the description.
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
C:\Program Files\Common Files\seria.exe C:\Program Files\Regrun.dat c:\Program Files\nowlist2.dat
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.